[Debian] CVE-2022-37026: erlang: Client Authentication Bypass in certain client-certification situations

Bug #2018636 reported by Yue Tao
Affects:      StarlingX
Status:       Fix Released
Importance:   High
Assigned to:  Zhixiong Chi
Milestone:    (none)

Bug Description

CVE-2022-37026: https://nvd.nist.gov/vuln/detail/CVE-2022-37026

In Erlang/OTP before 23.3.4.15, 24.x before 24.3.4.2, and 25.x before 25.0.2, there is a Client Authentication Bypass in certain client-certification situations for SSL, TLS, and DTLS.

Score:
cve_id          status  cvss3Score  av  ac  pr  ui  ai
CVE-2022-37026  fixed   9.8         N   L   N   N   H
(av = attack vector, ac = attack complexity, pr = privileges required, ui = user interaction, ai = availability impact)

References (Debian package upgrades, old ===> fixed):
erlang-asn1_1:23.2.6+dfsg-1_amd64.deb ===> erlang-asn1_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-base_1:23.2.6+dfsg-1_amd64.deb ===> erlang-base_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-crypto_1:23.2.6+dfsg-1_amd64.deb ===> erlang-crypto_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-eldap_1:23.2.6+dfsg-1_amd64.deb ===> erlang-eldap_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-ftp_1:23.2.6+dfsg-1_amd64.deb ===> erlang-ftp_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-inets_1:23.2.6+dfsg-1_amd64.deb ===> erlang-inets_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-mnesia_1:23.2.6+dfsg-1_amd64.deb ===> erlang-mnesia_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-os-mon_1:23.2.6+dfsg-1_amd64.deb ===> erlang-os-mon_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-parsetools_1:23.2.6+dfsg-1_amd64.deb ===> erlang-parsetools_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-public-key_1:23.2.6+dfsg-1_amd64.deb ===> erlang-public-key_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-runtime-tools_1:23.2.6+dfsg-1_amd64.deb ===> erlang-runtime-tools_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-snmp_1:23.2.6+dfsg-1_amd64.deb ===> erlang-snmp_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-ssl_1:23.2.6+dfsg-1_amd64.deb ===> erlang-ssl_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-syntax-tools_1:23.2.6+dfsg-1_amd64.deb ===> erlang-syntax-tools_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-tftp_1:23.2.6+dfsg-1_amd64.deb ===> erlang-tftp_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-tools_1:23.2.6+dfsg-1_amd64.deb ===> erlang-tools_1:23.2.6+dfsg-1+deb11u1_amd64.deb
erlang-xmerl_1:23.2.6+dfsg-1_amd64.deb ===> erlang-xmerl_1:23.2.6+dfsg-1+deb11u1_amd64.deb

Yue Tao (wrytao)
information type: Public → Public Security
Changed in starlingx:
status: New → Triaged
importance: Undecided → High
tags: added: stx.9.0 stx.security
Changed in starlingx:
assignee: nobody → Zhixiong Chi (zhixiongchi)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/882804
Committed: https://opendev.org/starlingx/tools/commit/3ce45d4dd5dfecef18e92fca0983abb2299df50b
Submitter: "Zuul (22348)"
Branch: master

commit 3ce45d4dd5dfecef18e92fca0983abb2299df50b
Author: Zhixiong Chi <email address hidden>
Date: Mon May 8 14:24:00 2023 +0800

    erlang: fix CVE-2022-37026

    Upgrade erlang sub-packages to 23.2.6+dfsg-1+deb11u1
    erlang-asn1_23.2.6+dfsg-1+deb11u1
    erlang-base_23.2.6+dfsg-1+deb11u1
    erlang-crypto_23.2.6+dfsg-1+deb11u1
    erlang-dev_23.2.6+dfsg-1+deb11u1
    erlang-diameter_23.2.6+dfsg-1+deb11u1
    erlang-edoc_23.2.6+dfsg-1+deb11u1
    erlang-eldap_23.2.6+dfsg-1+deb11u1
    erlang-erl-docgen_23.2.6+dfsg-1+deb11u1
    erlang-eunit_23.2.6+dfsg-1+deb11u1
    erlang-ftp_23.2.6+dfsg-1+deb11u1
    erlang-inets_23.2.6+dfsg-1+deb11u1
    erlang-mnesia_23.2.6+dfsg-1+deb11u1
    erlang-odbc_23.2.6+dfsg-1+deb11u1
    erlang-os-mon_23.2.6+dfsg-1+deb11u1
    erlang-parsetools_23.2.6+dfsg-1+deb11u1
    erlang-public-key_23.2.6+dfsg-1+deb11u1
    erlang-runtime-tools_23.2.6+dfsg-1+deb11u1
    erlang-snmp_23.2.6+dfsg-1+deb11u1
    erlang-ssh_23.2.6+dfsg-1+deb11u1
    erlang-ssl_23.2.6+dfsg-1+deb11u1
    erlang-syntax-tools_23.2.6+dfsg-1+deb11u1
    erlang-tftp_23.2.6+dfsg-1+deb11u1
    erlang-tools_23.2.6+dfsg-1+deb11u1
    erlang-xmerl_23.2.6+dfsg-1+deb11u1

    Refer to:
    https://security-tracker.debian.org/tracker/CVE-2022-37026

    TestPlan:
    PASS: downloader
    PASS: build-pkgs -a -c
    PASS: build-image
    PASS: Jenkins Installation.
    PASS: dpkg -l |grep erlang-
    ii erlang-asn1 1:23.2.6+dfsg-1+deb11u1
    ii erlang-base 1:23.2.6+dfsg-1+deb11u1
    ii erlang-crypto 1:23.2.6+dfsg-1+deb11u1
    ii erlang-eldap 1:23.2.6+dfsg-1+deb11u1
    ii erlang-ftp 1:23.2.6+dfsg-1+deb11u1
    ii erlang-inets 1:23.2.6+dfsg-1+deb11u1
    ii erlang-mnesia 1:23.2.6+dfsg-1+deb11u1
    ii erlang-os-mon 1:23.2.6+dfsg-1+deb11u1
    ii erlang-parsetools 1:23.2.6+dfsg-1+deb11u1
    ii erlang-public-key 1:23.2.6+dfsg-1+deb11u1
    ii erlang-runtime-tools 1:23.2.6+dfsg-1+deb11u1
    ii erlang-snmp 1:23.2.6+dfsg-1+deb11u1
    ii erlang-ssl 1:23.2.6+dfsg-1+deb11u1
    ii erlang-syntax-tools 1:23.2.6+dfsg-1+deb11u1
    ii erlang-tftp 1:23.2.6+dfsg-1+deb11u1
    ii erlang-tools 1:23.2.6+dfsg-1+deb11u1
    ii erlang-xmerl 1:23.2.6+dfsg-1+deb11u1

    Closes-Bug: 2018636

    Signed-off-by: Zhixiong Chi <email address hidden>
    Change-Id: I34900d3c94c08bbd00a9ca60bdcfb76b1531bd1b

Changed in starlingx:
status: In Progress → Fix Released